Hello Everyone,
I have a question. I have events like:
Mon Mar 19 20:16:03 2018 Info: Delayed: DCID 8414309 MID 19410908 From: <WeiZhang@example.com> To: <mcintosh@buttercupgames.com> RID 0 - 4.3.2 - Not accepting messages at this time ('421', ['4.3.2 try again later'])
I wrote a regex expression to cut email addresses from the events - <\w+@\w+.\w+>
How can I set this expression to get ONLY email addresses from logs? I need to do it in the getting-data-in phase, not after (I download data from a simple txt file). Thank you.
Hi @bosseres,
You should use the settings below in your props.conf and transforms.conf:
props.conf
[your_sourcetype]
TRANSFORMS-clear_data = keep_email
transforms.conf
[keep_email]
REGEX = \<(\w+@\w+\.\w+)\>
FORMAT = $1
DEST_KEY = _raw
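To check what the keep_email stanza above would leave in _raw for the sample event, here is an added Python example (not part of the original thread and not Splunk code). It assumes a simplified model of an index-time transform: REGEX is matched once against _raw, FORMAT replaces _raw on a match, and non-matching events pass through unchanged. The names apply_transform and KEEP_BOTH are hypothetical.

```python
import re

# Sample event copied from the question above.
EVENT = ("Mon Mar 19 20:16:03 2018 Info: Delayed: DCID 8414309 MID 19410908 "
         "From: <WeiZhang@example.com> To: <mcintosh@buttercupgames.com> "
         "RID 0 - 4.3.2 - Not accepting messages at this time "
         "('421', ['4.3.2 try again later'])")

# Constructed event with no address in it, to show the pass-through case.
NO_EMAIL_EVENT = "Mon Mar 19 20:16:04 2018 Info: Start MID 1"


def apply_transform(raw, regex, fmt):
    """Emulate one transforms.conf stanza with DEST_KEY = _raw.

    Assumed model: REGEX is matched once against _raw; on a match, _raw is
    replaced by FORMAT with $1, $2, ... expanded; with no match the event
    is left unchanged.
    """
    m = re.search(regex, raw)
    if m is None:
        return raw
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), fmt)


# Pattern from the answer, with the dot escaped so it matches a literal ".".
KEEP_EMAIL = (r"<(\w+@\w+\.\w+)>", "$1")

# Hypothetical variant: capture sender and recipient in a single match.
KEEP_BOTH = (r"From: <(\w+@\w+\.\w+)> To: <(\w+@\w+\.\w+)>", "$1 $2")


def demo():
    """Return the rewritten _raw for each case."""
    return {
        "keep_email": apply_transform(EVENT, *KEEP_EMAIL),
        "keep_both": apply_transform(EVENT, *KEEP_BOTH),
        "no_match": apply_transform(NO_EMAIL_EVENT, *KEEP_EMAIL),
    }


if __name__ == "__main__":
    for name, raw in demo().items():
        print(f"{name}: {raw}")
```

Under this model the single-capture pattern keeps only the From address, and events that contain no address are indexed in full.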
Try adding the parameter max_match=0
base search | rex max_match=0 "regexexpression"
Thank you for responding.
I need to cut email addresses in the data-adding phase, not when it's already indexed.